There have always been bad guys on the Internet; that's nothing new. But as more and more people use the web for daily tasks, the amount of personal information out there is growing rapidly. That then feeds on itself: if you're in possession of personal information, you can potentially wreak more havoc by using that information on more parts of the web.
Meanwhile, regulations like the GDPR are putting much stricter obligations on businesses and organisations to report any breaches of security. That means making your users' data more secure not only protects your users, it also protects you - the company behind the website - from hefty fines.
I recently made some suggestions to a client that I thought I'd document here. They just take the "usual" account management functions of a typical website up a notch to make it slightly harder for hackers to run riot.